Files
alembic/pipeline/lib/_spotify_auth.py
T
andrew e5d9c7f043 0.6: Spotify OAuth connect flow, AzuraCast base URL, fingerprint/buy-url fixes
- Add "Connect Spotify" OAuth flow (/connect/spotify) so newly created Spotify
  apps can read playlists: Spotify now requires a user token for playlist
  reads, which client-credentials alone can no longer provide. The stored
  refresh token is rendered as spotify-refresh into each playlist's sldl
  .conf -- sldl's own docs confirm supplying it skips its interactive login
  flow, which is what was causing multi-hour hangs on a stuck sync.
  Grandfathered apps keep working unchanged if no account is connected.
- Fix the connect flow's redirect_uri: request.url_for() reflected the raw
  connection scheme (http) rather than what the reverse proxy actually
  served over, which Spotify's exact-match redirect_uri check rejected.
  Force https rather than trust the unproxied scheme.
- Add an AzuraCast base URL credential field alongside the API key, with a
  keyfile fallback so the scheduled enrich-buy-url.py job can actually reach
  AzuraCast (previously it had no way to receive a base URL at all when run
  from the scheduler, so the reprocess call was silently always skipped).
- Fix build-fingerprint-index.py exiting non-zero on any single fingerprint
  failure instead of only when nothing was written.
- Guard enrich-buy-url.py's AzuraCast reprocess against an empty
  --azuracast-base (raised ValueError since PD2 removed the hardcoded base).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-14 11:16:55 -06:00

44 lines
1.8 KiB
Python

"""Shared Spotify Client-Credentials token fetch for the pipeline scripts.
The scripts (spotify-retag.py, spotify-genre.py, fix-track-metadata.py) each
run as `python /app/pipeline/lib/<name>.py`, so this directory is on sys.path
and they can `from _spotify_auth import get_token`. Each still sources its own
credentials (env vars vs a rendered .env file); only the token request itself,
which was copy-pasted four ways, lives here.
"""
import base64
import json
import urllib.parse
import urllib.request
_TOKEN_URL = "https://accounts.spotify.com/api/token"
_cache: dict[tuple[str, str, str | None], str] = {}
def get_token(client_id: str, client_secret: str, refresh_token: str | None = None) -> str:
"""Return an access token, cached per (id, secret, refresh_token) for the
life of the process. If refresh_token is set (an account has been
connected via /connect/spotify), mints a user token -- required for
playlist reads on newly created Spotify apps, which reject
client-credentials tokens. Otherwise falls back to client-credentials."""
key = (client_id, client_secret, refresh_token)
if key in _cache:
return _cache[key]
creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
grant = (
{"grant_type": "refresh_token", "refresh_token": refresh_token}
if refresh_token
else {"grant_type": "client_credentials"}
)
req = urllib.request.Request(
_TOKEN_URL,
data=urllib.parse.urlencode(grant).encode(),
headers={
"Authorization": f"Basic {creds}",
"Content-Type": "application/x-www-form-urlencoded",
},
)
with urllib.request.urlopen(req, timeout=15) as r:
_cache[key] = json.loads(r.read())["access_token"]
return _cache[key]